Identity and Geekdom

Mobile Security with NFC on Android

A few years ago I was looking for a cheap, portable and easy to use secondary authentication system for personal use. I had stumbled upon the “YubiKey” from Yubico, which could potentially fit the bill for my own personal use case.

The Yubikey is a durable key fob that looks a bit like your standard USB storage drive. It works by generating a very long string of characters and the Key ID, which is sent to the Yubico authentication server on the internet for authentication. The Yubikey has 2 slots on device to allow you to use 2 different multi-factor authentication providers (Public and Private?) with the supplied management software. This provides a scenario where you authenticate with a known password, and a the device key One Time Password (OTP) as a secondary form of authentication which helps to mitigate you from password stealing techniques.

While this has been a great solution for using services like LastPass and a plugin for WordPress when accessing those services from a computer (It works on both a Windows PC and an Apple Mac on OSX without additional software) with a USB port, it does not work for mobile devices (iPhone, Blackberry, Android Devices, etc.) such as Smartphones or Tablets without a dedicated USB port.

When I had purchased my Yubikey, I had the option of getting the YubiKey standard, which only supports a USB connection to the device, or the YubiKey with RFID ability. Naturally, I chose to get the RFID model, knowing that shortly mobile devices would start to include the NFC (Near Field Communications) technology needed to communicate with the YubiKey device. The YubiKey’s NFC authentication mechanism is independent of it’s USB mechanism, so I am curious if it actually supports up to 3 different providers per key. I imagine a scenario where you could open your bank application of website, and enter your standard password, while holding your YubiKey close to the device to provide the OTP as a secondary authentication mechanism.

While Nokia has had NFC capable cell phones, and many other providers in the Asian countries also support it, the Samsung Nexus S was the first mainstream NFC capable phone in the US. The Nexus S apparently shipped with the NXP PN544 NFC chip which supports the MIFARE contactless protocol (as well as FeliCA). The YubiKey also supports MIFARE, so I see this as a potential very good use case, where you can have a single security device which works with USB capable computer as well as NFC capable mobile devices.

Now Apple appears to also be on their march for an NFC capable iPhone/iPad IOS Device, so as more and more mobile devices support NFC in the mainstream, security devices like the YubiKey start to become more attractive. I would like to see some more security measures such as only being able to use the NFC transmission only after the center button has been pressed. Though the 2-5cm range depicted in the documentation, I would worry about more powerful antennas being using to “swipe” the transmission from afar.

It appears that while we know the Samsung Nexus S has the ability to read NFC tags, it might also have the ability to write to NFC tags according to a post on Phandroid. As more and more developers start to experiment with Android and NFC we should see some really interesting use cases start to appear.

What do you think? Will we see RFID issues appear like we do with Passports and Credit Cards being sniped from a far? There have been security concerns with some of these contactless protocols in the past, but as they move more mainstream, will they prove to be a great benefit by bringing secondary authentication to the populace or will it be a new vector to be attacked?

NFC–Writing Tags with Nexus S

What do you think? Will we see RFID issues appear like we do with Passports and Credit Cards being sniped from a far? There have been security concerns with some of these contactless protocols in the past, but as they move more mainstream, will they prove to be a great benefit by bringing secondary authentication to the populace or will it be a new vector to be attacked?